Attacks on Pay-TV Access Control Systems. Markus G. Kuhn Computer Laboratory



Similar documents
Broadcasting encryption or systematic #FAIL? Phil

Digital Video Broadcasting Conditional Access Architecture

Monitoring Conditional Access Systems

MXMedia CipherStream. Preliminary Assessment. Copyright 2012 Farncombe 1.0. Author: T F

Measurement and Analysis Introduction of ISO7816 (Smart Card)

ADVANCED IC REVERSE ENGINEERING TECHNIQUES: IN DEPTH ANALYSIS OF A MODERN SMART CARD. Olivier THOMAS Blackhat USA 2015

EV-8000S. Features & Technical Specifications. EV-8000S Major Features & Specifications 1

Computer and Set of Robots

How Pay-TV becomes E-Commerce

MPEG-2 Transport vs. Program Stream

Side Channel Analysis and Embedded Systems Impact and Countermeasures

Smart Card Technology Capabilities

- Open Architecture/Interoperability Issues

Sample Project List. Software Reverse Engineering

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

CryptoFirewall Technology Introduction

DVCrypt Conditional Access System

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

Rfid Authentication Protocol for security and privacy Maintenance in Cloud Based Employee Management System

Today. Important From Last Time. Old Joke. Computer Security. Embedded Security. Trusted Computing Base

Privacy and Security in library RFID Issues, Practices and Architecture

Pro:Idiom System Description

DIRECT TO HOME TELEVISION (DTH)

SSL A discussion of the Secure Socket Layer

SMiT Professional CAM User Guide

SecureDoc Disk Encryption Cryptographic Engine

Qiong Liu, Reihaneh Safavi Naini and Nicholas Paul Sheppard Australasian Information Security Workshop Presented by An In seok

CS 758: Cryptography / Network Security

From Digital Television to Internet? A general technical overview of the- DVB- Multimedia Home Platform Specifications

Network Security. HIT Shimrit Tzur-David

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Dazzle. Digital Video Creator 100 User s Guide

Atmel Norway XMEGA Introduction

R&S AVG050 DVB Satellite Receiver Compact DVB-S and DVB-S2 satellite demodulator

RVS Seminar Deployment and Performance Analysis of JavaCards in a Heterogenous Environment. Carolin Latze University of Berne

USB Portable Storage Device: Security Problem Definition Summary

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

Fighting product clones through digital signatures

MICROPROCESSOR. Exclusive for IACE Students iacehyd.blogspot.in Ph: /422 Page 1

Product Information S N O. Portable VIP protection CCTV & Alarm System 2

Security and protection of digital images by using watermarking methods

Network Security. Security. Security Services. Crytographic algorithms. privacy authenticity Message integrity. Public key (RSA) Message digest (MD5)

SHE Secure Hardware Extension

Single channel data transceiver module WIZ2-434

Note monitors controlled by analog signals CRT monitors are controlled by analog voltage. i. e. the level of analog signal delivered through the

Appendix A. CMS(Client Management Software)

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Secure My-d TM and Mifare TM RFID reader system by using a security access module Erich Englbrecht (info@eonline.de) V0.1draft

IPsec Details 1 / 43. IPsec Details

Experimental DRM Architecture Using Watermarking and PKI

An architecture for the delivery. of DVB services over IP networks Rennes, January 2007 INTRODUCTION DIGITAL VIDEO TRANSPORT

8051 MICROCONTROLLER COURSE

Message Authentication Codes

Higth definition from A to Z.

PowerKey Conditional Access System Phase 1.0. System Overview. Revision 1.0


Lesson 10:DESIGN PROCESS EXAMPLES Automatic Chocolate vending machine, smart card and digital camera

Quick Installation. A Series of Intelligent Bar Code Reader with NeuroFuzzy Decoding. Quick Installation

Real-Time DMB Video Encryption in Recording on PMP

MANUAL FOR RX700 LR and NR

Chapter 6 CDMA/802.11i

Method for Electronic Content. Distribution and Right Management. Abstract

Cable TV Headend Solutions

SENSE Security overview 2014

Projector Control Command Reference Manual

Client Server Registration Protocol

Alarms of Stream MultiScreen monitoring system

MyM 3T. User Manual. English

This high-performance TV signal analyzer provides analog/digital TV and satellite TV monitoring and provides various video decoding.

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

USB Portable Storage Device: Security Problem Definition Summary

HP4000EX Hardware Manual

reach a younger audience and to attract the next-generation PEG broadcasters.

DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES

Smart Cards a(s) Safety Critical Systems

CRYPTOGRAPHY IN NETWORK SECURITY

9600 IP. Set Top Box. User s Guide

Introduction to Computer Security

ETSI TS V1.2.1 ( )

Hardware Security Modules for Protecting Embedded Systems

Technical Specification Digital Video Broadcasting (DVB); Content Scrambling Algorithms for DVB-IPTV Services using MPEG2 Transport Streams

Chapter 1 Lesson 3 Hardware Elements in the Embedded Systems Chapter-1L03: "Embedded Systems - ", Raj Kamal, Publs.: McGraw-Hill Education

8-Bit Flash Microcontroller for Smart Cards. AT89SCXXXXA Summary. Features. Description. Complete datasheet available under NDA

A secure login system using virtual password

PAL to NTSC (NTSC to PAL) Converter with 19 inch Rack (CDM-640AR)

Secure Cloud Storage and Computing Using Reconfigurable Hardware

Elettronica dei Sistemi Digitali Costantino Giaconia SERIAL I/O COMMON PROTOCOLS

CHAPTER 11: Flip Flops

Chapter 23. Database Security. Security Issues. Database Security

Chapter 23. Database Security. Security Issues. Database Security

Overview of Symmetric Encryption

EXAM questions for the course TTM Information Security May Part 1

Application Note AN-00160

CHAPTER 7: The CPU and Memory

Athena Smartcard Inc. IDProtect Key with LASER PKI FIPS Cryptographic Module Security Policy. Document Version: 1.0 Date: April 25, 2012

Transcription:

Attacks on Pay-TV Access Control Systems Markus G. Kuhn Computer Laboratory

Generations of Pay-TV Access Control Systems Analog Systems remove sync information, try to confuse gain-control in receiver, etc. cryptography is not essential part of decoding process still dominant type for most cable-tv premium channels Hybrid Systems broadcasted signal conforms to analog TV standard (PAL, D2MAC, NTSC, SECAM) analog signal scrambled with digital framebuffer using a cryptographically transmitted control word fully cryptographic subscription management using smartcards examples: VideoCrypt, EuroCrypt (EN 50094), Syster Nagravision Digital Systems broadcasted signal is digitally modulated, encrypted, and multiplexed MPEG-2 audio and video data stream cryptographic subscription management using smartcards as with hybrid systems examples: DVB, DSS/VideoGuard

Example of a Hybrid System: VideoCrypt CPU1 CPU2 ADC SATreceiver FIFO-1 FIFO-2 Scrambler Smartcard DAC TV OSD EPA 0428252 A2 Features: scrambling by active-line rotation, requires only memory for one single image line vertical-blank-interval data contains 32-byte messages with blacklist/whitelist data smartcard calculates 60-bit MAC as control word from 32-byte messages every 2.5 s CPU1 salts control word with frame counter to generate 60-bit PRNG seed per frame Scrambler uses 60-bit seed to generate cut-point sequence per frame

An Image Processing Attack on VideoCrypt unscrambled source signal broadcasted scrambled signal result of cross-correlation with edge detector avoids horizontal final b/w descrambling result obtained cutpoints marked penalty zones around cut points without knowledge of card secret

The VideoCrypt Smartcard Protocol Flow control ISO 7816 T=0 protocol: sent by decoder /smartcard CLA INS P1 P2 P3 INS DATA[1]... DATA[P3] SW1 SW2 Instructions INS length (P3) sent by purpose 70h 6 card card serial number 72h 16 decoder message from previous card 74h 32 decoder message from broadcaster 76h 1 decoder authorize button pressed 78h 8 card control word (MAC of 74h) 7ah 25 card onscreen display message 7ch 16 card message to next card 7eh 64 card Fiat-Shamir squared random number 80h 1 decoder Fiat-Shamir challenge bit 82h 64 card Fiat-Shamir response

VideoCrypt or How not to use the Fiat-Shamir ZKT Protocol Decoder INS 70h: card number V (48 bits) Smartcard INS 7eh: X = R² mod N (512 bits) (knows secret S with S² = V mod N, INS 80h: Q (1 bit) where N = p q) INS 82h: Y = R Y = R S mod N if Q = 0 if Q = 1 Decoder receives Q periodically from broadcaster and forwards it to the smartcard Decoder is supposed to reject smartcard if the following test fails (first generation did not): Y² = X mod N if Q = 0 Y² = X V mod N if Q = 1 Attack Decoder has no memory to verify that X is different each time, so pirate card just observes V, R, R² mod N, and R S mod N from any card and replays those values each time.

Replay attacks against VideoCrypt Vulnerabilities 1) all VideoCrypt smartcards working on the same channel reply identically 2) the scrambled VideoCrypt signal can be replayed with a normal home VCR Real-time card sharing (old proposal, not implemented) One owner of a genuine card provides the control words in real-time via wire or radio to owners of decoders without a card (60 bits every 2.5 s). Offline Internet card sharing (common practice!) One owner of a genuine card records control words and synchronization information for a specific show (say Star Trek on Sunday, 18:00) in a VideoCrypt Logfile (VCL) and publishes this on her Web page. Decoder owners without card record the scrambled programme, then download VCL file and put decoder between VCR and TV. A PC then emulates card and replays control words from VCL file. VideoCrypt Broadcast Logfiles (VBL) allow a posteriori VCL file generation. Potential risk Covert channel might identify card owner in public VCL files, therefore use VCL voter

Secret Hash/MAC Algorithms in VideoCrypt Smartcards Hash and Signature Check Structure: j = 0; answ[0..7] := 0; for i:=0 to 26 do round(msg[i]); b := 0; for i:=27 to 30 do round(b); round(b); if answ[j]!= msg[i] then signature wrong j := (j + 1) mod 8; only in P07 b := msg[i]; in P09 handle nanocommands here for i:=1 to 64 do round(msg[31]); Input: msg[0..31] Output: answ[0..7] all variables are 8-bit unsigned Round Function in BSkyB P07: parameter p answ[j] := answ[j] xor p; c := sbox[answ[j] / 16] + sbox[answ[j] mod 16 + 16]; c := rotate_right(rotate_left(not c, 1) + p, 3); j := (j + 1) mod 8; answ[j] := answ[j] xor c; P09 card used completely different round function

BSkyB P09 Structure of 32-byte Message in Instruction 74h 0 1 2 3 4 5 6 7 8 9 10 11 26 27 28 29 30 31 e8 43 0a 88 82 61 0c 29 e4 03 f6 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 fb 54 ac 02 51 months since 1989 channel subcommand code xor x[0] address prefix xor x[0..3] address suffixes or ECM nanocommands signature checksum random byte XOR Scrambling: Subcommands: Nanocommands: a := msg[1] xor msg[2]; 00 deactivate card cause calculated jumps into swap_nibbles(a); 01 deactivate Sky Movies highly obscure machine code, b := msg[2];... many add additional rounds, for i:=0 to 3 do 20 activate card some read or write RAM or b := rotate_left(b, 1); 21 activate Sky Movies EEPROM locations, the b := b + a;... nanocommand interpreter x[i] := b; 40 PPV management is designed to be extremely 80 ECM nanocommands non-portable and difficult to... understand

Conductive Silver Ink Attack on the BSkyB P10 Card view from non-pad side VCC RST CLK VCC RST CLK BICMOS18 M6007E001 VCC RST ASIC µc GND to µc I/O CLK GND ROM to ASIC 5754 ISD F2 D2 M3 Drill two holes from pad side with 1 mm drill and fill holes with conductive silver ink to establish contact with free pads free pad GND GND pad I/O VPP pad (free) Cut line from pad side with sharp knife M. Kuhn

Some Pay-TV Pirate Devices "Battery-powered smartcard", Megasat Bochum Conductive silver ink attack on BSkyB P10 card (top), with card CPU replaced by external DS5002FP (right) BSkyB P9 deactivation blocker ISO 7816 to RS-232 adapter (Season7)

Access Control for Digital Video Broadcasting (DVB) receiver demodulator error correction common interface conditional access module MPEG stream demultiplexer MPEG audio decoder MPEG video decoder data interface TV PC Access control issues: Standardization of complete access control system was politically not possible Standardization of Common Interface (PCMCIA slot) to allow plug-in access control Standardization of Common Scrambling Algorithm will at least allow SimulCrypt, where different access control systems can decrypt the same control words in order to descramble the same programme

Idea Robust Key Management Scheme for Pay-TV Smart Cards Every card contains a subset of L=10 keys out of a pool of K L=300 keys K i,j which are used for session key uploads CL If pirates open C=20 cards, only (1-(1-1/K) ) = 0.08% of the genuine cards have to be replaced to recover confidentiality of session key updates Example L=6, K=5, C=2 K 1,1 K K K K 1,2 1,3 1,4 1,5 K 2,1 K K K K 2,2 2,3 2,4 2,5 K 3,1 K K K K 3,2 3,3 3,4 3,5 K 4,1 K K K K 4,2 4,3 4,4 4,5 K 5,1 K K K K 5,2 5,3 5,4 5,5 K 6,1 K K K K 6,2 6,3 6,4 6,5 Compromised Key Key in an uncompromised card Single rows or all uncompromised keys are used for session key uploads Each card knows one key per row Cards that know only compromised keys have to be replaced

Lessons Learned from Pay-TV Piracy Every security microcontroller and ASIC will be reverse engineered within weeks if pirates see a chance to make a million dollars profit from doing it Routine recovery from attacks by ECMs, key updates, exchange of security modules, etc. must already be planned for in the design phase of a large scale cryptographic application Today s EEPROM processor smart card technology is unsuitable for holding global secrets Continuous pirate market observation and analysis of pirate devices becomes routine activity for any consumer multimedia access control system operator Obfuscated programming, customized processors, and other portability surprises in security module software are successful for only a few days and should be replaced by more flexible key management (Kerckhoffs principle) Analog and hybrid pay-tv systems do not provide signal confidentiality and will eventually be broken by real-time image processing attacks

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information